Hi, David.

> There should probably be a message mentioning the issue rather than
> a confusing hashsum mismatch though, so I am not going to ignore the
> bug as such.

True... considering as a distribution maintainer it took me nearly three days to figure out (the second day I decided to file a bug), a warning can be really useful.

Best regards,
Jeff Bai

On Sun, Nov 29, 2015 at 4:19 PM, David Kalnischkies <da...@kalnischkies.de> wrote:
> Control: severity -1 wishlist
> Control: retitle -1 warn if Release file includes only broken hashes
>
> On Sun, Nov 29, 2015 at 11:21:44AM -0700, Jeff Bai wrote:
> > Please ignore this bug! The issue can be solved with adding SHA1 and SHA256
> > hash sum information to the Release file.
>
> There should probably be a message mentioning the issue rather than
> a confusing hashsum mismatch though, so I am not going to ignore the
> bug as such.
>
> > We only provided MD5Sum before, and that apparently annoys Apt 1.1. But
> > extra security for the users, eh?
>
> Yeap, apt 1.1 ignores MD5 for security purposes as it can be considered
> broken. Note that SHA1 is on its (long) way out as that is close to being
> broken, too, so SHA256 (or SHA512) is currently best practice (given
> that this is what gpg is using for signatures, so more wouldn't have an
> effect).
>
>
> Best regards
>
> David Kalnischkies
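The warning David proposes, as an added example that is neither apt's code nor from this thread: a small Python checker that parses the MD5Sum/SHA1/SHA256/SHA512 sections of a Release file, reports when only hash sums apt 1.1 no longer trusts are present (instead of a bare "Hash Sum mismatch"), and verifies an index against the strongest trusted hash listed. The sample Packages content, index path and Release header values are constructed for the example.

```python
import hashlib
import re

# Release-file hash sections, strongest first. apt 1.1 no longer trusts MD5Sum and
# SHA1 is being phased out, so only SHA256/SHA512 are treated as usable here.
HASH_FIELDS = {"SHA512": "sha512", "SHA256": "sha256", "SHA1": "sha1", "MD5Sum": "md5"}
STRONG = {"SHA512", "SHA256"}

def parse_release(text):
    """Return {field: {path: (hexdigest, size)}} for every hash section found."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:  # continuation: "<hash> <size> <path>"
            parts = line.split()
            if len(parts) == 3:
                sections[current][parts[2]] = (parts[0], int(parts[1]))
            continue
        m = re.match(r"^([A-Za-z0-9]+):", line)  # start of a new field
        current = m.group(1) if m and m.group(1) in HASH_FIELDS else None
        if current:
            sections.setdefault(current, {})
    return sections

def check_release(text):
    """Return (usable_fields, warnings): the warning apt could print instead of a mismatch."""
    present = set(parse_release(text))
    usable = [f for f in HASH_FIELDS if f in present and f in STRONG]
    if usable:
        return usable, []
    found = ", ".join(sorted(present)) or "none"
    return usable, ["Release file lists no hash sums apt trusts (found: %s); add SHA256 or SHA512" % found]

def verify_index(text, path, data):
    """Check an index file against the strongest trusted hash Release lists for it."""
    sections = parse_release(text)
    for field in HASH_FIELDS:  # dict order is strongest first
        if field in STRONG and path in sections.get(field, {}):
            expected, size = sections[field][path]
            actual = hashlib.new(HASH_FIELDS[field], data).hexdigest()
            return (actual == expected and len(data) == size, field)
    return (False, None)

PACKAGES = b"Package: hello\nVersion: 1.0\nArchitecture: amd64\n"  # constructed sample index
INDEX_PATH = "main/binary-amd64/Packages"
def make_release(fields):  # builds a constructed Release file listing PACKAGES under `fields`
    lines = ["Origin: Example", "Suite: stable"]
    for field in fields:
        digest = hashlib.new(HASH_FIELDS[field], PACKAGES).hexdigest()
        lines += [field + ":", " %s %d %s" % (digest, len(PACKAGES), INDEX_PATH)]
    return "\n".join(lines) + "\n"
```

`check_release(make_release(["MD5Sum"]))` reproduces the situation in the thread and yields the warning rather than a silent mismatch.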